Secure and Trustworthy Internet of Things

The evolving nature of the internet is creating new opportunities to connect devices, applications, and services on a scale that will transform daily interactions with our physical environment, work, and society. The Internet of Things (IoT) carries enormous potential to change the world for the better. Projections for the impact of the IoT on the internet and the global economy are significant, forecasting explosive growth in the number of IoT devices and their use in various applications. Globally, machine-to-

Billions of IoT devices, applications, and services are already in use, with more coming online each day, and every new device can expand opportunities for malicious actors to disrupt the digital ecosystem. Some estimates conclude that cyberattacks on IoT devices in the first half of 2019 increased by 300 percent compared to the second half of 2018.² As the IoT continues to grow, IoT security is therefore of the utmost importance.

1 Cisco, Cisco Annual Internet Report (2018-2023), https://www.cisco.com/c/en/us/solutions/collateral/executive-perspectives/annual-internet-report/white-paper-c11-741490.pdf.

2 F-Secure, Attack Landscape H1 2019, https://blog-assets.f-secure.com/wp-content/uploads/2019/09/12093807/2019_attack_landscape_report.pdf; see also Zak Doffman, "Cyberattacks On IOT Devices Surge 300% In 2019, 'Measured In Billions', Report Claims," Forbes (September 14, 2019), https://www.forbes.com/sites/zakdoffman/2019/09/14/dangerous-cyberattacks-on-iot-devices-up-300-in-2019-now-rampant-report-claims/#220ecd435892.

Inadequately secured IoT devices and services can serve as entry points for cyberattacks, compromising sensitive data and threatening the safety of individual users. Attacks on infrastructure and other users, fueled by networks of poorly secured IoT devices, can affect the delivery of essential services such as health care and basic utilities, put the security and privacy of others at risk, and threaten the resilience of the internet globally.

These challenges provide ample reason to bring together governments and the technology industry to increase the security of the IoT. Policymakers must take action to create spaces where challenges can be explored and solutions identified.

As trusted leaders in the global software industry, BSA members are at the forefront of IoT innovation, including advancements in IoT security. BSA endorses a series of principles for building trust in the IoT that embody a responsible, risk-based approach to government IoT security policy.

BSA IoT SECURITY POLICY PRINCIPLES

Governments should develop IoT security policies that:

1. Account for the IoT ecosystem's diversity and complexity.
2. Define key concepts and requirements clearly.
3. Secure the whole IoT ecosystem, not just devices.
4. Distinguish between consumer IoT and industrial IoT (IIoT).
5. Build on industry best practices.
6. Incentivize security throughout the IoT life cycle.
7. Embrace multistakeholder processes.
8. Seek national and international policy harmonization.
9. Support development and use of internationally recognized IoT standards.
10. Establish baseline security requirements as necessary and appropriate.
11. Integrate security into IoT acquisition.
12. Include IoT in incident response.

IoT Security Policies Should Account for the IoT Ecosystem's Diversity and Complexity

Though there is no widely accepted, singular definition of IoT, the term generally describes the network of physical objects—"things"—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.

IoT systems often include device elements, such as sensors and actuators, data processors, and user interfaces, and network elements, like gateways and cloud infrastructure.

KEY ELEMENTS

» IoT Devices. IoT devices can connect to and are in regular connection with the internet, and have computer processing capabilities that can collect, send, or receive data. IoT devices may incorporate user interfaces, data processors, and potentially multiple sensors—for example, IoT devices can contain GPS, accelerometer, and camera sensors. Devices may be complex systems, such as programmable logic controllers, or may be so simple that they have no operating system.

» Sensors and Actuators. Sensors collect data from the surrounding environment. This collected data can have varying degrees of intricacy, ranging from simple temperature monitoring to a complex video feed. Actuators receive information from sensors and turn it into physical action, such as prompting an electric motor or hydraulic system to activate.

» Data Processors. Data processors refer to components that perform operations to convert data into useful insights, which can be interpreted and used for analysis. Data processing functions can range from simple, such as checking that pressure readings are within an acceptable range, to complex, like identifying objects in a video using computer vision.

» User Interfaces. User interfaces consist of features through which end users interact with the IoT system, including screens, pages, buttons, forms, icons, and text. User interfaces are closely related to the user experience, the interactions a user has with a product and the portals or applications used to remotely manage IoT devices.

» Networks. Networks allow data collected by IoT devices to be transported to a cloud infrastructure. IoT devices can be connected to the cloud through various mediums of communication and transports, such as cellular networks, satellite networks, Wi-Fi, Li-Fi, and Bluetooth. 5G networks, with new edge computing capabilities, will create myriad new possibilities for the use and management of IoT devices. Related to networks, gateways and cloud infrastructure are other important components of the IoT ecosystem.

» Gateways. Gateways manage data traffic between IoT devices and the networks to which they connect. They may include hardware and/or software elements; for example, in a home environment, a router often serves as a gateway between the home Wi-Fi network and the internet service provider. Gateways can be configured to perform pre-processing of the collected data from thousands of sensors locally before transmitting it to the next stage. Another gateway function is to translate different network protocols and make sure connected devices and sensors are interoperable. Gateways can also offer a certain level of security for the network and transmitted data with higher order encryption techniques. A gateway acts as a middle layer between devices and the cloud to protect the system from malicious attacks and unauthorized access.

» Cloud Infrastructure. Cloud infrastructures refer to distributed computing and database management systems optimized to efficiently handle massive amounts of data. Cloud servers offer tools to collect, process, manage, and store large amounts of data in real time, integrating inputs from many sensors, devices, gateways, and protocols. They also enable the creation of virtual or containerized environments in which customized security controls and other rules can be applied to a specified group of systems, creating powerful tools for IoT device management.

These various components illustrate that the IoT is not a monolith, but rather a complex system of different devices, communication networks, interfaces, and people. Complex supply chains, potentially including many third parties, make security evaluations challenging and require that systems be secured holistically with coordination among different parties and parts of the system. Moreover, the IoT includes elements, such as cloud services and telecommunications networks, that may be subject to other policy regimes.

Governments should holistically consider the complexity and diversity of the IoT ecosystem, recognizing the unique role each part of the system plays and how those parts interact, and design policies that are technology-neutral and flexible to accommodate such complexity. Moreover, IoT security policies must be aligned and comport with security policies impacting various elements of the IoT ecosystem, such as cloud and 5G security.

IoT Security Policies Must Define Key Concepts and Requirements Clearly

As governments formulate IoT security policies, policymakers must ensure technical definitions and security requirements are clearly defined. Specific, understandable definitions that follow international, consensus-driven, widely adopted standards for key terms, such as “IoT” and “IoT device,” are critical to clearly communicating policies’ scope and intent to consumers, industry, and other stakeholders, and to avoiding the creation of fragmented definitions. Similarly, security requirements within IoT security policies must be clearly defined. If policymakers choose to require specific security measures, these policies should create proper incentives for manufacturers to adopt established international standards that outline such capabilities and protocols that are appropriate and reasonable (e.g., at the International Organization for Standardization or International Electrotechnical Commission), and avoid codifying today’s capabilities and practices, which may become quickly outdated. Clearly communicated, user-friendly IoT security policies ensure that consumers can easily understand device security practices and features, and that IoT manufacturers and vendors can efficiently address security priorities. Key definitions and requirements in IoT security policies are often overly broad or omitted entirely, creating confusion for consumers and businesses.

Governments must clearly define key concepts and requirements related to IoT security consistent with international norms to the greatest extent possible.

DEFINING “IoT DEVICE”

Policymakers should ensure IoT security policies define which devices are covered with the greatest specificity and clarity possible. In general, IoT security policies should use a definition for “IoT device” that:

» Refers to a device that is designed to connect to a network and includes computer processing capabilities necessary to collect, send, or receive data;

» Refers to a finished product available to end users that is usable for its intended functions without being embedded or integrated into any other product and is not a component [It is possible that some IoT devices may be used within larger systems, which together constitute a composite IoT device (consider a “smart bus” that itself has many connected IoT devices, such as a connected camera or connected digital display, inside of it), but even in such composite IoT devices, any incorporated device must be able to function separately to be considered an IoT device itself];

» Acknowledges that IoT devices are designed to be connected to a broader ecosystem that includes other components, devices, and systems; and

» Does not include general computing devices, including personal computing systems, smart mobile communications devices, and mainframe computing systems.

IoT Security Policies Should Secure the Whole IoT Ecosystem, Not Just Devices

Depending on the operating environment, many different risk-based approaches exist that achieve desired security outcomes. Increasingly, innovative approaches to securing IoT devices depend on technologies or methodologies that are not device-based. In some cases, these approaches may substitute for device-centric security measures.

Many efforts to develop IoT security guidance have been narrowly focused on device characteristics. Security approaches that consider the ecosystem perspective suggest that IoT device security best practices are undoubtedly important, but equally important is the security of all the elements in the IoT system. Moreover, security efforts must be aligned: policymakers must ensure that device-centric security policies do not undermine the ability of vendors and customers to innovate and apply extra-device security measures. For example, policies should avoid password requirements for IoT devices that interrupt single sign-on identity management technologies that improve both security and user experience.

Similarly, many security experts argue all IoT devices should be able to receive secure patches or updates. This feature enables vendors to better maintain their devices, including mitigating discovered vulnerabilities, but can bring trade-offs in terms of the cost, time-to-market, and complexity of the device. However, device capabilities may be limited due to use requirements that may prevent the implementation of such features. One emerging alternative is the creation of customized cloud environments to which administrators can apply security rules tailored to the devices managed within the environment—including applying “virtual patches” that mitigate particular device vulnerabilities without the need to install new software on the device itself.

Another example is the “Manufacturer Usage Description” (MUD), a protocol that enables devices to communicate critical information to routers to enable their secure management. In this case, devices—which contain a software tag listing information about the device's data, communication protocols, and usage patterns—work in tandem with routers, which apply security rules and identify anomalous behavior based on published information about the devices.
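The MUD mechanism described above works by the manufacturer publishing the device's expected communications and the gateway turning them into enforceable rules. The following is an added example, not from the BSA paper or from any MUD implementation: it takes a constructed, simplified MUD file in the RFC 8520 layout for a hypothetical thermostat, derives the from-device allow list (using a constructed static resolver in place of the gateway's DNS lookups), and checks a few constructed flows against it, flagging anything outside the published profile as an anomaly worth alerting on.

```python
"""Derive enforceable rules from a MUD file and audit observed device flows.

Constructed example: a simplified MUD document in the RFC 8520 layout for a
hypothetical thermostat, a static name resolver standing in for the gateway's
DNS lookups, and a handful of constructed flows to evaluate against it.
"""
import json
from dataclasses import dataclass

# Constructed MUD file (hypothetical manufacturer and hostnames).
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://manufacturer.example/thermostat.json",
        "is-supported": True,
        "systeminfo": "Constructed example thermostat",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "from-thermostat"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "to-thermostat"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "from-thermostat", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-https",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "api.manufacturer.example",
                                  "protocol": 6},
                         "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
            {"name": "ntp",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "time.manufacturer.example",
                                  "protocol": 17},
                         "udp": {"destination-port": {"operator": "eq", "port": 123}}},
             "actions": {"forwarding": "accept"}},
        ]}},
        {"name": "to-thermostat", "type": "ipv4-acl-type", "aces": {"ace": []}},
    ]},
})

# Constructed resolver: the gateway resolves MUD hostnames when installing rules.
RESOLVER = {
    "api.manufacturer.example": "203.0.113.10",
    "time.manufacturer.example": "203.0.113.20",
}


@dataclass(frozen=True)
class Rule:
    name: str       # ACE name, reported when a flow matches
    dst_ip: str
    protocol: int   # 6 = TCP, 17 = UDP
    dst_port: int


def from_device_rules(mud_json, resolver):
    """Return the accept rules the gateway installs for traffic leaving the device."""
    doc = json.loads(mud_json)
    wanted = {e["name"] for e in
              doc["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]}
    rules = []
    for acl in doc["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue
        for ace in acl["aces"]["ace"]:
            if ace["actions"]["forwarding"] != "accept":
                continue
            ip = ace["matches"]["ipv4"]
            l4 = ace["matches"]["tcp" if ip["protocol"] == 6 else "udp"]
            port = l4["destination-port"]
            if port.get("operator", "eq") != "eq":
                raise ValueError(f"unsupported port operator in ACE {ace['name']}")
            rules.append(Rule(ace["name"], resolver[ip["ietf-acldns:dst-dnsname"]],
                              ip["protocol"], port["port"]))
    return rules


def evaluate(flow, rules):
    """Match (dst_ip, protocol, dst_port) against the allow list.

    Anything the manufacturer did not publish is denied and worth alerting on:
    it is either a misconfiguration or the device behaving outside its profile.
    """
    for r in rules:
        if (r.dst_ip, r.protocol, r.dst_port) == flow:
            return ("accept", r.name)
    return ("deny", None)


# Constructed flows: two expected, one never described in the MUD file.
FLOWS = [
    ("203.0.113.10", 6, 443),   # HTTPS to the manufacturer API
    ("203.0.113.20", 17, 123),  # NTP to the manufacturer time server
    ("198.51.100.7", 6, 23),    # Telnet to an unrelated host: outside the profile
]


def audit(mud_json=MUD_FILE, resolver=RESOLVER, flows=FLOWS):
    """Return [(flow, verdict, rule_name)] for every observed flow."""
    rules = from_device_rules(mud_json, resolver)
    return [(f, *evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, rule in audit():
        print(f"{flow}: {verdict}" + (f" ({rule})" if rule else " -> alert"))
```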
Governments should drive a risk-based approach to trust and safety by considering all elements within the ecosystem, including software, firmware, and hardware deployed throughout IoT technologies, and avoiding device-centric policies that disrupt development and application of sophisticated network-based security measures.

IoT Security Policies Should Distinguish Between Consumer IoT and Industrial IoT (IIoT)

Consumer IoT solutions—for example, wearables, smart home applications, and personal health monitoring devices—are generally targeted to individual users or families. They tend to be used in environments that are unmanaged or subjected to limited network administration, and that use minimal security services or none at all. These devices could last many years, but tend to be rapidly replaced with newer versions launched with the advent of new generations of technology.

The IIoT refers to the extension and use of the IoT in industrial sectors and applications. With a strong focus on M2M communication, big data, and machine learning, the IIoT targets existing automated industrial systems looking for dramatic improvements in productivity and efficiency, such as in large-scale factories or manufacturing plants. Other examples of IIoT technologies include connected HVAC systems, smart grid technologies, and interconnected medical devices in an operating room. Furthermore, commercial or enterprise technologies should generally be addressed by policies relating to industrial, rather than consumer, IoT. Enterprise IoT refers to applications in commercial office buildings, supermarkets, hotels, health care facilities, and retail stores, among others. Enterprise and industrial IoT technologies often function in highly managed environments using sophisticated network defenses. Additionally, policymakers may want to separately consider IIoT deployed in critical infrastructure sectors, due to the importance of these applications to national security, public health or safety, economic vitality, or any combination thereof.

Consumer IoT and IIoT solutions differ in their network environments, levels of risk, support life cycles, and complexity.

» Network Environment. Consumer IoT is used by the general public in their homes or offices. These users usually do not receive any cybersecurity training before the technology is deployed. Additionally, the equipment, such as home routers, and networks that consumer IoT connects to are rarely professionally managed. In contrast, IIoT solutions are usually deployed and maintained by in-house cyber professionals. The networks IIoT connects to are also in most cases managed by security experts deploying complex network defenses, since IIoT often supports critical industry functions.

» Risk. Consumer IoT and IIoT present different security risks because these technologies are applied in drastically different environments. Common risks posed by consumer IoT include botnets, ransomware, and identity theft, since these solutions are often used by the average person on their home equipment and network. Because IIoT is often deployed in critical infrastructure environments, such as at manufacturing plants and power stations, IIoT security incidents risk equipment failure, loss of critical data, business and societal disruptions, or even injury and loss of life. The complexity of IIoT systems also provides a larger attack surface for malicious actors.

» Support Life Cycle. Technical security support for consumer IoT is relatively limited compared to IIoT. Consumer IoT solutions often implement security measures that are utility-centric, prioritizing the user experience and ease with which a consumer may use the product. Conversely, IIoT solutions often use advanced and robust security measures and protocols. Consumer IoT vendors may service their IoT devices, but consumers often do not have access to enterprise management tools and may replace devices every few years. Devices in the IIoT often require long-term investments in security, which include maintenance from in-house and field service technicians to sustain the levels of performance required by industrial systems. Additionally, IIoT sensors are often installed to measure parameters at remote infrastructure that is difficult to physically access, such as at oil and gas facilities located under the surface or offshore. Internal management capabilities can include sensor replacement, firmware upgrades, and management of gateways and server configurations, to name a few examples.

» Complexity. Consumer IoT products require less integration compared to IIoT solutions. IIoT systems are applied in complex environments with extensive legacy operations technology (OT). OT refers to the networking of operational processes and industrial control systems (ICSs), including human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and programmable logic controllers (PLCs). IIoT solutions must reliably integrate with these existing manufacturing systems, meaning patch management and other key security measures are much more complicated in these environments.

SPECTRUM OF CONSUMER AND INDUSTRIAL IoT APPLICATIONS

Policymakers should consider these important differences in consumer IoT and IIoT, and prioritize IoT security guidance and initiatives based on risk.

Governments should address the different risks posed by consumer IoT and IIoT technologies, rather than pursuing one-size-fits-all approaches. Policies for consumer devices may need to prioritize building security into devices, since consumers may not have the resources to create secure, managed environments; on the other hand, industrial users may need more flexibility to tailor security measures to their unique, complex operating environments.

IoT Security Policies Should Build on Industry Best Practices

Many technology companies are at the forefront of security innovation and, with decades of experience, have developed best practices for IoT security. Many BSA members compete on security. However, not every business has the knowledge and expertise to make informed decisions about security when developing and deploying IoT technologies. Governments can enable better security outcomes by promoting best practices that range from security-by-design principles to sector-specific product development and risk assessment guides.

In particular, many best practices incorporate risk-based approaches to addressing security. Risk-based frameworks help policymakers, device manufacturers, and users understand and address the risks most likely to impact specific devices in the specific contexts in which they are used. Risk-based frameworks should incorporate analysis of risks to users (such as identity theft and reputational damage), to impacted systems or assets, including cybersecurity risks (such as disruption of key functions) and physical risks (damage to or destruction of physical systems), and to the broader ecosystem (such as co-option by a botnet or economic disruption). Risk-based frameworks should be the centerpiece of policy approaches to IoT security.

Industry consensus-building efforts have made significant progress in developing widely accepted IoT security guidance. For example, the BSA Framework for Secure Software³ draws on best practices from leading enterprise software companies to provide software development organizations, their customers, and policymakers with guidance for assessing and encouraging security across the software life cycle, including the software that powers IoT solutions. Furthermore, the C2 Consensus on IoT Security Capabilities⁴ brings together a group of 20 major cybersecurity and technology organizations to provide guidance to IoT device manufacturers on important security capabilities that IoT devices need to meet the market's expectations for security and harmonize policies around the world. Policymakers should look to these industry-developed guides to inform more effective IoT security policies that reduce fragmentation and promote good cyber hygiene among various industry sectors and parts of the IoT ecosystem.

Government IoT security policies should be informed by the expertise of industry leaders and incorporate widely accepted, industry-developed, risk-based IoT security best practices to elevate the security of the entire IoT market.

3 BSA Framework for Secure Software, https://www.bsa.org/reports/bsa-framework-for-secure-software.

4 The C2 Consensus on IoT Security Baseline Capabilities, https://securingdigitaleconomy.org/projects/c2-consensus/.

IoT Security Policies Should Incentivize Security Throughout the IoT Life Cycle

Security should be built into every stage of an IoT solution's life cycle, from development to decommissioning. In addition to secure development and security-by-design approaches, long-term security requires a life cycle management approach for maintaining software, hardware, and firmware components and addressing vulnerabilities post-deployment. Vulnerabilities are often identified by independent security experts and others in research communities, and reported to vendors. As part of a holistic approach to product maintenance and vulnerability management, vendors should establish clear procedures for receiving and addressing such third-party reports. Security professionals have developed guidance and standards on coordinated vulnerability disclosure (CVD) programs⁵ to address this critical need; all such programs should be aligned with the internationally recognized ISO/IEC 29147 and 30111 standards.

To improve security outcomes throughout the IoT life cycle, policymakers should incentivize businesses to voluntarily establish CVD processes that (1) align with internationally recognized standards, particularly ISO/IEC 29147 and 30111; (2) avoid counterproductive requirements, such as artificial mitigation timelines; and (3) reflect a holistic approach to vulnerability management throughout the life cycle of the IoT solution.

End-of-life policies are also an essential part of a holistic approach to product maintenance and vulnerability management. End-of-life refers to the date a product supplied to end users is determined to be at the end of its useful life (from the vendor's point of view) and the vendor stops marketing, selling, or sustaining the product. The continued use of unsupported IoT products and services or the abrupt termination of support can have serious consequences, particularly because out-of-date IoT products are more likely to be vulnerable to hackers and bugs, which could create vulnerabilities for other systems connected to these IoT technologies.

To comprehensively address security throughout the IoT life cycle, policymakers should also incentivize businesses to voluntarily establish end-of-life policies that (1) are updated based on the latest projections regarding end-of-life and end-of-life dates for the IoT product or service; and (2) are flexible enough to allow for changing circumstances.

Governments should incentivize businesses to voluntarily establish CVD processes and end-of-life policies to promote security throughout the IoT life cycle.

IoT Security Policies Should Embrace Multistakeholder Processes

IoT is a challenging policy area, as it is a quickly developing environment and its technology spans many industries and uses. As the IoT market rapidly evolves, many in industry, including BSA members, have been at the forefront of developing innovative and responsible security methods and practices in the IoT space. Governments can learn from and incorporate the expertise industry has developed by formulating IoT security policies through a multistakeholder process that is open, transparent, and consensus-based. Additionally, a multistakeholder process allows policymakers to learn from and incorporate the perspectives of others focused on IoT, including consumer groups and academics.

A multistakeholder process can also bring together the various manufacturers, vendors, and consumers that develop, sell, and use IoT products. Even though IoT technology spans many industry sectors, all who develop and use IoT solutions should prioritize security to protect an entire IoT system against cyber threats. Participants in a collaborative approach to IoT security will have the opportunity to share best practices and lessons learned, encourage security dialog, and develop flexible, shared security solutions that can adapt and evolve as threats change over time. A collaborative approach, one that draws on the expertise and engagement of a wide range of stakeholders, is needed to develop effective and appropriate IoT security policies.

Governments should initiate, lead, and support multistakeholder activities and working groups, collaborate with industry and others to understand evolving threats, and develop best practices for IoT security based on existing, consensus-based guidelines.

5 For more on software vulnerability disclosure, see BSA Guiding Principles for Coordinated Vulnerability Disclosure, https://www.bsa.org/files/policy-filings/2019globalbsacoordinatedvulnerabilitydisclosure.pdf. On hardware vulnerability disclosure, see Center for Cybersecurity Policy and Law, “Improving Hardware Component Vulnerability Disclosure,” https://centerforcybersecuritypolicy.org/improving-hardware-component-vulnerability-disclosure.

loT Security Policies Should Seek National and International 
Policy Harmonization 


Numerous governments, including at the national level (Australia,ć the European 
Union,’ Japan,® Singapore,’ and the United Kingdom") and the state or provincial level 
(California! and Oregon” in the United States) have developed initiatives to address 
loT security. As more governments rightly focus on this pressing issue, the risk of 
fragmentation among policies increases. National and international fragmentation in 
governments’ loT security policies is problematic because loT solutions are inherently 
interconnected and interdependent, and because fragmented policies can cause 
difficulties for manufacturers selling similar products in different markets that may have 
divergent or contradictory requirements. Such outcomes can reduce competitiveness 
and stifle innovation, thus undermining the ability of users to access the most secure 
technologies. 


As government approaches to IoT security take shape, multinational technology 
companies developing IoT devices and their components will face an increasingly 
complex landscape of policy guidance, regulatory requirements, and standards. 
Manufacturers of IoT solutions want to market their devices worldwide, no matter 
where the underlying code was developed or the devices were manufactured. Such 
businesses will be harmed by national and international policy landscapes that are 
disjointed, incoherent, and conflicting; such an outcome will suppress innovation and 
competitiveness. Harmonizing approaches to IoT security is a critical goal for the global 
economy. 

6 See Department of Home Affairs, Draft Code of Practice: Securing the Internet of Things for Consumers, 
https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf. 

7 See ENISA, Good Practices for Security of Internet of Things in the Context of Smart Manufacturing, 
https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot; see also ENISA, IoT Security 
Standards Gap Analysis, https://www.enisa.europa.eu/publications/iot-security-standards-gap-analysis. 

8 See Ministry of Economy, Trade and Industry, IoT Security Guidelines ver. 1.0 Formulated, 
https://www.meti.go.jp/english/press/2016/0705_01.html. 

9 See Infocomm Media Development Authority, Guidelines: Internet of Things (IoT) Cyber Security Guide, 
https://www.imda.gov.sg/-/media/imda/files/regulation-licensing-and-consultations/consultations/open-for-public-comments/consultation-for-iot-cyber-security-guide/imda-iot-cyber-security-guide.pdf. 

10 See Department for Digital, Culture, Media & Sport, Code of Practice for Consumer IoT Security, 
https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security. 

11 See SB-327 Information Privacy: Connected Devices (California Legislative Assembly, 2017-2018), 
https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327. 

12 See Enrolled House Bill 2395 (80th Oregon Legislative Assembly, 2019), 
https://olis.leg.state.or.us/liz/2019R1/Downloads/MeasureDocument/HB2395/Enrolled. 





Government IoT security policies should be informed by, and to the extent 
possible, aligned with other similar efforts underway around the world. 





IoT Security Policies Should Support the Development and 
Use of Internationally Recognized IoT Standards 


Several internationally recognized technical security standards are applicable to 
IoT technologies. These security standards provide widely vetted, consensus-based 
information and guidance for defining and implementing effective security 
methodologies, and facilitate common approaches to common challenges, thus enabling 
collaboration and interoperability. IoT standards promote interoperability across various 
use case deployments, vendors, sectors, and geographies, and will maintain the long-term 
viability of the IoT and encourage the equitable distribution of the benefits and 
security of IoT solutions. Employing greater interoperability and the use of open, 
voluntary, and widely available standards as technical building blocks for IoT devices 
will support greater user benefits, innovation, and economic opportunity.13 Regulations, 
certifications, and other government policies on IoT should be grounded in consensus-based, 
internationally recognized security standards wherever they exist. Where IoT 
standards do not yet exist, policymakers should refrain from mandating technical 
approaches to IoT, and, instead, encourage industry, researchers, and other stakeholders 
to work together on the development of open, consensus-based standards that support 
interoperability. This can be done by supporting existing standards development 
committees and by funding academic research into areas where evolving standards will be 
required, such as M2M interoperability. 





Government IoT security policies should be tied to global, voluntary, and 
consensus-based standards wherever they exist, support the development of 
new internationally recognized IoT security standards, and refrain from localized 
standards or certifications that diverge from international best practices. 





IoT Security Policies Should Establish Baseline Security 
Requirements as Necessary and Appropriate 


As governments develop IoT security policies, considering the complexities of the 
IoT ecosystem and the differences between consumer IoT and IIoT, policymakers may 
determine IoT security regulations are required in some areas—in these specific contexts, 
policymakers may wish to identify core security capabilities in security guidance. Core IoT 
security capabilities consist of activities related to cybersecurity that are recommended 
for manufacturers to address in all applicable IoT products. These activities can help 
manufacturers lessen the cybersecurity burden on IoT device customers, which in turn can 
reduce the prevalence and severity of IoT device compromises and attacks performed 
using compromised IoT devices. 

13 Alignment with international standards can encourage broad adoption of a government's security initiative or policy. 
For example, the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure 
Cybersecurity is aligned with internationally recognized standards and used worldwide, as demonstrated by the 
Framework's four translations and five adaptations by international governments. For more information, see NIST, 
International Perspectives, https://www.nist.gov/cyberframework/international-perspectives; see also NIST, International 
Resources, https://www.nist.gov/cyberframework/international-resources. 


Security capabilities must address the entire usable life cycle of the IoT device, including 
the manufacturing, deployment, usage, transfer of ownership, decommissioning, and 
eventual destruction of the IoT device. Therefore, necessarily different stakeholders and 
responsible parties exist across the entire usable life cycle. 


Depending on the context, core IoT security capabilities policymakers may consider 
include encryption, patchability, identity management, root of trust, and a secure 
development life cycle (SDLC). Such baseline requirements should always be aligned 
with internationally recognized standards and remain sufficiently flexible to account for 
technological developments. 


» Encryption. IoT technologies should be developed in accordance with an encryption 
strategy that defines what data should be encrypted and which encryption mechanisms 
should be used, depending on how the device is deployed and the inherent privacy 
and security risks with its use. 


» Patchability. Particularly for consumer IoT products that are not expected to be 
used within a managed security environment, IoT technologies should be capable of 
receiving—either remotely or in-person—secure updates and security patches. 


» Identity Management. IoT technologies that handle sensitive information or otherwise 
control access should support strong identity management and authentication, 
including by applying current industry best practices on passwords and other user 
credentials. 


» Root of Trust. IoT technologies should as appropriate ground security mechanisms in 
roots of trust to achieve stronger security assurances. Roots of trust are highly reliable 
hardware, firmware, and software components that perform specific, critical security 
functions. Because roots of trust are inherently trusted, they must be secure by design. 
As such, many roots of trust are implemented in hardware so that malware cannot 
tamper with the functions they provide. Roots of trust provide a firm foundation from 
which to build security and trust. 


» Secure Development Life Cycle. BSA members have been industry leaders in 
developing the concept of the SDLC, which includes robust attention to security 
considerations during a product's development, management of security issues 
throughout the product's life cycle, and iterative learning to improve development 
processes based on analysis of vulnerabilities or flaws as they are discovered. An 
SDLC—including vendor commitments to embrace secure development best 
practices, manage supply chain risk, mitigate identified vulnerabilities, and address 
end-of-life considerations—is critical for hardware, firmware, and software elements 
of IoT devices. The BSA Framework for Secure Software provides guidance on SDLC 
elements for software. 





To the extent policymakers determine risks necessitate IoT security policies 
include specific security requirements, core security capabilities, including 
encryption, patchability, identity management, root of trust, and secure 
development life cycle, should align with widely accepted international standards, 
which are regularly updated to keep pace with the latest technology and security 
practices. 











PRIVACY AND IoT 


Securing IoT data is critical for mitigating both security and privacy risks. As 
IoT devices proliferate markets worldwide, consumers' ability to meaningfully 
control their data becomes increasingly important. Data privacy best practices 
can reinforce security procedures and should be adapted to IoT environments, 
reflecting both the sensitivity of the collected data and the purpose for which it is 
used. While these principles focus on IoT security, policymakers should consider 
complementary approaches to protect consumers' privacy when using IoT 
technologies. Comprehensive approaches to data privacy, which encompass data 
collected by IoT applications, can help ensure technologies safeguard consumers' 
privacy. 


IoT Security Policies Should Integrate Security Into IoT 
Acquisition 


As consumer and industry IoT technologies become more pervasive in the coming years, 
government use of IoT solutions is also expected to increase. In developing procurement 
guidelines and setting policies for measuring supply chain risks that are informed by 
information-driven, risk-based analysis, agencies can positively affect the cybersecurity of 
civilian government. Equally critical, prioritizing security in IoT procurement can benefit 
consumers by incentivizing the broader IoT market to produce more secure products. 


Policymakers considering stronger procurement practices for IoT devices, platforms, and 
services should ensure that policies are aligned with available internationally recognized 
standards and emphasize adherence to best practices in security. Secure solutions, 
with multi-layered hardware- and software-level capabilities, should therefore be a 
procurement priority for government IoT. 





Governments should incentivize departments and agencies in the procurement 
process to prioritize secure, interoperable, and scalable IoT solutions for assets 
based on voluntary, industry-led, consensus-based, global guidelines. 





IoT Security Policies Should Factor IoT Into Incident 
Response 


As IoT applications proliferate and deliver benefits to consumers and industrial users, 
governments should factor IoT into incident and emergency responses. Responding 
to and resolving large-scale IoT incidents can be especially challenging, given that 
IoT attacks can be complex and dynamic, and may involve cyber and physical threats. 
Policymakers must incorporate IoT considerations into the development of incident 
response plans and policies, which should address the potential speed and scale of IoT 
attacks. Additionally, policymakers should consider how IoT technologies can improve 
emergency planning and responses, including through mission-critical logistics support 
and communications, emergency calling, and public warning systems. 





Governments should integrate IoT into incident response planning, including 
policies and programs for IoT incidents and emergency responses. 











IoT technologies are rapidly transforming daily lives and business processes. As IoT 
solutions become more ubiquitous, policymakers will need to act swiftly to promote 
security throughout the IoT ecosystem. Representing leaders in cybersecurity and IoT 
innovation, BSA strongly supports responsible, risk-based approaches to IoT security. 
The principles outlined above will guide governments in tackling this complex policy 
issue, and BSA would welcome opportunities to collaborate with policymakers in driving 
security throughout the IoT marketplace. 